
More Details Emerge On Stuxnet

It's not often that malware like Stuxnet comes around. Stuxnet appears to be the new black at the Virus Bulletin 2010 conference, currently ongoing in Vancouver. Everyone's talking about it.

The mountain of research and just plain blabbing about Stuxnet there includes a paper from Symantec entitled Win32.Stuxnet Dossier. It summarizes what we know (or rather what Symantec knows) on the matter and adds some interesting new details dug out of the innards of the code. There's also a great Stuxnet Questions and Answers from F-Secure.

Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.

Updates itself through a peer-to-peer mechanism within a LAN.

Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.

Contacts a command and control server that allows the hacker to download and execute code, including updated versions.

Contains a Windows rootkit that hides its binaries.

Attempts to bypass security products.

Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.

Hides modified code on PLCs, essentially a rootkit for the PLC.

Stuxnet was discovered in July but seems to have existed for at least a year prior. Microsoft said at VB2010 that there's evidence that Stuxnet code dates back to January 2009. This is both impressive in and of itself, and confirmation of the sophistication of the programming in Stuxnet.

But Stuxnet is not without technical criticism. Threatpost quotes Trend Micro virus researcher Ivan Macalintal expressing surprise that the worm's authors allowed it to escape and attack elsewhere, even in the US. "It should have been more successful and stayed off the radar," said Macalintal. In a press call Friday morning Liam O'Murchu, researcher at Symantec Security Response, joined Macalintal in this position.

O'Murchu added that there are many controls built into Stuxnet to prevent it from spreading haphazardly. The USB stick infector keeps a counter and only allows 3 infections per stick. Once running on a system it only attempts to spread for 21 days. These were clearly put in because the authors wanted Stuxnet not to spread beyond its target.

I feel a bit obtuse for saying so, but I don't understand why it's so hard to see it spreading. It seems clear to me that it didn't spread widely until fairly late in life, and that's why it was finally uncovered. And with 7 different infection mechanisms (including USB, weak network shares, Conficker/Downadup, the print spooler vulnerability), even with the infection throttling built in, it was only a matter of time before someone accidentally took it outside a secured network.

Who wrote it? There's still no rock-solid evidence there, although the Symantec report includes two new points which, they say, vaguely implicate Israel. The first:

In the driver file, the project path b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb was not removed.
Guavas are plants in the myrtle (myrtus) family genus. In addition, according to Wikipedia, "Esther was originally named Hadassah. Hadassah means 'myrtle' in Hebrew." Esther learned of a plot to assassinate the king and "told the king of Haman's plan to massacre all Jews in the Persian Empire...The Jews went on to kill only their would-be executioners."

Right. Or maybe the author likes yummy guavas. Symantec agrees and adds: "Symantec cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another party."

The other concerns a registry value named "NTVDM TRACE" maintained by Stuxnet:

If this value is equal to 19790509 the threat will exit. This is thought to be an infection marker or a "do not infect" marker. If this is set correctly infection will not occur. The value appears to be a date of May 9, 1979. While on May 9, 1979 a variety of historical events occurred, according to Wikipedia "Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day."

Once again, they don't want to make too much of it: "Symantec cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another party."
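As an added defender-side illustration (not code from the post, from Symantec or from F-Secure), here is a small Python check that scans a Windows registry export (.reg) for the "NTVDM TRACE" value the post describes and reports whether it holds the 19790509 marker. The sample export is constructed, and its key path is a placeholder because the post names the value but not the key it lives under.

```python
import re
from datetime import date

# Marker value the post reports: Stuxnet exits if "NTVDM TRACE" equals this.
STUXNET_MARKER = 19790509
VALUE_NAME = "NTVDM TRACE"

# Constructed sample .reg export (not a real capture); the key path is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_KEY]
"SomeOtherValue"=dword:00000001
"NTVDM TRACE"=dword:012dfaad
'''

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+?)\s*$')


def _decode(data):
    """Return the integer a dword:/quoted decimal string encodes, else None."""
    if data.startswith("dword:"):
        return int(data[6:], 16)          # .reg stores DWORDs as 8 hex digits
    if data.startswith('"') and data.endswith('"') and data[1:-1].isdigit():
        return int(data[1:-1])            # REG_SZ holding a decimal number
    return None


def find_marker(reg_text):
    """Scan a .reg export for NTVDM TRACE; return a list of (key, int_value)."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and m.group("name") == VALUE_NAME and current_key:
            hits.append((current_key, _decode(m.group("data"))))
    return hits


def marker_as_date(value):
    """Decode a YYYYMMDD integer (19790509 -> 1979-05-09); None if not a date."""
    try:
        return date(value // 10000, (value // 100) % 100, value % 100)
    except (TypeError, ValueError):
        return None


def has_do_not_infect_marker(reg_text):
    """True if any NTVDM TRACE value in the export equals the marker."""
    return any(v == STUXNET_MARKER for _, v in find_marker(reg_text))
```

A value that is present but holds a different number is reported by find_marker with its decoded value, so an analyst can tell "marker absent" from "value tampered" at a glance.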

Sophos's Graham Cluley speculates that someone with "inside knowledge of how Siemens' systems work" was responsible, at least for the PLC programming parts. This seems somewhat reasonable, as you can't write such programs without at least the ability to test them on the hardware. But that doesn't mean that the person with knowledge of how to program Siemens PLCs did or did not work for Siemens.

None of this really takes us all that much further. The "myrtle" reference could be a lot of things and the date could be someone's birthday. I'm sure there are lots of dates one could point to as somehow connected to some party involved with this. And more to the point, at this quality level of espionage one shouldn't be surprised to find misdirection. Why would so professionally written a piece of software, one which goes to great lengths to hide its origins, have clues like this built into it? Surely the authors knew that if it was uncovered it would be disassembled and the details analyzed.

Fundamentally we still don't know anything for sure about who wrote it. I can think of quite a few groups I would think capable of it, although getting it into the facilities to infect them is beyond the capacity of even the most talented programmer who lacks Iranian secrecy clearances. This is why it's highly likely, if not certain, that some state actor with first-class espionage capabilities is responsible.

[Note: I have in the past, and continue to write for VeriSign, which is now a part of Symantec, including on matters related to Stuxnet.]
